[原文]Opera allows remote attackers to cause a denial of service (invalid memory reference and application crash) via a web page or HTML email that contains a TBODY tag with a large COL SPAN value, as demonstrated by mangleme.

-
漏洞信息

-
公告与补丁

This issue will be reportedly addressed in Opera 7.60. --- Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com .

-
漏洞讨论

A memory corruption vulnerability exists in Opera. This issue may be triggered if an excessive COL SPAN is specified in the TBODY tag. The issue could result in a minor denial of service condition.

-
漏洞利用

This issue was discovered with the mangleme Web fuzzer:

http://lcamtuf.coredump.cx/soft/mangleme.tgz

The following proof-of-concept is also available:

http://lcamtuf.coredump.cx/mangleme/gallery/opera_die1.html

---Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com &lt;mailto:vuldb@securityfocus.com&gt;.

-
解决方案

This issue will be reportedly addressed in Opera 7.60.

---
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.